Fully Distrustful Quantum Cryptography 
In the distrustful quantum cryptography model the different parties have conflicting interests and
do not trust one another. Nevertheless, they trust the quantum devices in their labs. The aim of
the device-independent approach to cryptography is to do away with the necessity of making this
assumption, and, consequently, significantly increase security. In this paper we enquire whether the
scope of the device-independent approach can be extended to the distrustful cryptography model,
thereby rendering it 'fully' distrustful. We answer this question in the affirmative by presenting a
device-independent (imperfect) bit-commitment protocol, which we then use to construct a
device-independent coin flipping protocol.



Introduction - A quantum protocol is said to be device-independent if the reliability of its
implementation can be guaranteed without making any assumptions regarding the internal workings
of the underlying apparatus. The key idea is that the certification of a sufficient amount of
nonlocality ensures that the underlying systems are quantum and entangled. By dispensing with the
(mathematically convenient but physically untestable) notion of a Hilbert space of a fixed
dimension, the device-independent approach does away with many cheating mechanisms and modes of
failure, such as, for example, those exploited in [1]. In fact, a device-independent protocol, in
principle, remains secure even if the devices were fabricated by an adversary. So far,
device-independent protocols have been proposed for quantum key-distribution [2-5], random number
generation [6, 7], state estimation [9], and the self-testing of quantum computers [10].

In many everyday scenarios (e.g. the use of credit cards on the internet, secure identification,
digital signatures), we need to ensure security not only against an eavesdropper, but crucially
against malicious parties partaking in the protocol, i.e. when Alice and Bob do not trust each
other. Many important results in quantum cryptography are related to the fundamental primitives in
this setting: While, on the one hand, quantum weak coin flipping with arbitrarily small bias is
possible [11], arbitrarily concealing and binding quantum bit-commitment is impossible [12-14].
However, less secure but non-trivial bit-commitment has been shown to be possible with trusted
devices [15].
It is not a priori clear whether the scope of the device-independent approach can be extended to
cover cryptographic problems with distrustful parties. In particular, this setting presents us with
a novel challenge: Whereas in device-independent quantum key-distribution Alice and Bob will
cooperate to estimate the amount of nonlocality present, for protocols in the distrustful
cryptography model, honest parties can rely only on themselves.



In this paper we show that protocols in this model are indeed amenable to a device-independent
formulation. As our aim is to provide a proof of concept, we concentrate on one of the simplest,
yet most fundamental, primitives in this model, bit-commitment. We present a device-independent
bit-commitment protocol, wherein after the commit phase Alice cannot control the value of the bit
she wishes to reveal with probability greater than $\cos^2(\pi/8) \approx 0.854$ and Bob cannot
learn its value prior to the reveal phase with probability greater than $3/4$. We then use this
protocol to construct a device-independent coin flipping protocol with bias $\approx 0.336$.

Bit-commitment - A bit-commitment protocol consists of two phases. In the commit phase, Alice
interacts with Bob in order to commit to a bit. In the reveal phase, Alice reveals the value of the
bit, possibly followed by some test that each party carries out to ensure that the other party has
not cheated. In the time between the two phases, which may be of any duration, no actions are
taken. The security of a protocol is always analyzed under the assumption that one of the parties
is honest. We designate by $P_{\rm cont}$ the maximum of the average of the probabilities with
which Alice can reveal either value of the bit without being caught cheating, and by $P_{\rm gain}$
the maximum probability that dishonest Bob learns the value of the bit before the reveal phase
without being discovered, where these quantities are maximized over the set of possible cheating
strategies available to Alice and Bob. The quantities $\epsilon_{\rm cont} = P_{\rm cont} - 1/2$
and $\epsilon_{\rm gain} = P_{\rm gain} - 1/2$ are termed 'Alice's control' and 'Bob's information
gain'. A protocol with arbitrarily small $\epsilon_{\rm cont}$ is called arbitrarily binding, while
a protocol with arbitrarily small $\epsilon_{\rm gain}$ is called arbitrarily concealing. As
already mentioned, quantum mechanics does not allow for a protocol to be both arbitrarily binding
and concealing at the same time. In fact, for a 'fair' protocol, in the sense that
$\epsilon_{\rm cont} = \epsilon_{\rm gain}$, $\epsilon_{\rm cont}$ is bounded from below by $0.207$
[16]. The best known protocol gives $\epsilon_{\rm cont} = 1/4$ [15]. In contrast, in any
classical protocol either Alice or Bob can cheat perfectly ($\epsilon_{\rm cont} = 1/2$ or
$\epsilon_{\rm gain} = 1/2$).

Device-independence - In our device-independent formulation, we assume that each honest party has
one or several devices which are viewed as 'black boxes'. Each box allows for a classical input
$s_i \in \{0, 1\}$, and produces a classical output $r_i \in \{0, 1\}$ (the index $i$ designates
the box). We make the assumption that the probabilities of the outputs given the inputs for an
honest party can be expressed as
$P(\mathbf{r}|\mathbf{s}) = \mathrm{Tr}\big(\rho \bigotimes_i \Pi_{r_i|s_i}\big)$, where $\rho$
is some joint quantum state and $\Pi_{r_i|s_i}$ is a POVM element corresponding to inputting $s_i$
in box $i$ and obtaining the outcome $r_i$. Apart from this constraint we impose no restrictions on
the boxes' behavior. In particular, we allow a dishonest party to choose the state $\rho$ (which
she can entangle with her system) and the POVM elements $\Pi_{r_i|s_i}$ for the other party's
boxes.

The above assumption amounts to the most general modeling of boxes that (i) satisfy the laws of
quantum theory, and (ii) are such that the physical process yielding the output $r_i$ in box $i$
depends solely on the input $s_i$, i.e. the boxes cannot communicate with one another. It is also
implicit in our analysis that no unwanted information can enter or exit an honest party's
laboratory. In a 'fully' distrustful setting, where the devices too cannot be trusted, these
conditions can be satisfied by shielding the boxes. In particular, it is not necessary to carry out
measurements in space-like separated locations to guarantee (ii), as in fundamental tests of
nonlocality (see [8, 17]). This observation is important because relativistic causality is by
itself sufficient for perfect bit-commitment and coin flipping [18, 19]. Hence, the fact that we
do not rely on space-like separated measurements makes the conceptual implications of our work
clearer and the quantum origin of the security evident.

The protocol - Our protocol is based on the Greenberger-Horne-Zeilinger (GHZ) paradox [20, 21].
We consider three boxes A, B, and C with binary inputs, $s_A$, $s_B$ and $s_C$, and outputs $r_A$,
$r_B$ and $r_C$, respectively. The GHZ paradox consists of the fact that if the inputs satisfy
$s_A \oplus s_B \oplus s_C = 1$, we can always have the outputs satisfy
$r_A \oplus r_B \oplus r_C = s_A s_B s_C \oplus 1$. This relation can be guaranteed if the three
boxes implement measurements on a three-qubit GHZ state $\frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$,
where $s_i = 0$ ($s_i = 1$) corresponds to measuring $\sigma_y$ ($\sigma_x$). In contrast, for
local boxes this relation can only be satisfied with probability at most $3/4$. The nonlocal and
pseudo-telepathic nature of the GHZ paradox - the non-occurrence of certain input-output pairs
that would necessarily occur in any local theory - is key, both to ensure that when both parties
are honest the protocol does not abort, and to ensure that a dishonest party always has a non-zero
probability of being caught cheating.

The protocol runs as follows. Alice has a box, A, and Bob has a pair of boxes, B and C. The three
boxes are supposed to satisfy the GHZ paradox. Commit phase: Alice inputs into her box the value of
the bit she wishes to commit to. Denote the input and output of her box by $s_A$ and $r_A$. She
then selects a classical bit $a$ uniformly at random. If $a = 0$ ($a = 1$), she sends Bob a
classical bit $c = r_A$ ($c = r_A \oplus s_A$) as her commitment. Reveal phase: Alice sends Bob
$s_A$ and $r_A$. Bob first checks whether $c = r_A$ or $c = r_A \oplus s_A$. He then randomly
chooses a pair of inputs $s_B$ and $s_C$, satisfying $s_B \oplus s_C = 1 \oplus s_A$, inputs them
into his two boxes and checks that the GHZ paradox is satisfied. If any of these tests fails then
he aborts. Note that if the parties are honest (and the boxes satisfy the GHZ paradox), then the
protocol never aborts.

Alice's control - We consider the worst-case scenario, wherein (dishonest) Alice prepares (honest)
Bob's boxes in any state she wants, possibly entangled with her own ancillary systems. Since the
commit phase consists of Alice sending a classical bit $c$ as a token of her commitment, without
receiving any information from Bob, with no loss of generality we may assume that Alice decides on
the value of $c$ beforehand, and accordingly prepares Bob's boxes to maximize her control.
Furthermore, since Alice's winning probability is invariant under the relabeling
$c \to c \oplus 1$, $r_A \to r_A \oplus 1$, $r_B \to r_B \oplus 1$, no value of $c$ is
preferable, and we assume that she sends $c = 0$.

Suppose now that Alice wishes to reveal 0 (i.e. she sends $s_A = 0$). She will then carry out some
operation on her systems in order to decide the value of $r_A$ to be sent. Bob will first check
whether $c = r_A$ or $c = r_A \oplus s_A$, and since $s_A = 0$ it follows that Alice must send
$r_A = 0$. Subsequently, Bob finds that the GHZ paradox is satisfied whenever $r_B \neq r_C$ for a
choice of inputs such that $s_B \neq s_C$. Switching to a more compact notation in which
$y_i = (-1)^{r_i}$ ($x_i = (-1)^{r_i}$) designates the output corresponding to $s_i = 0$
($s_i = 1$), Alice's cheating probability in this case equals
$\frac{1}{2}[P(y_B x_C = -1) + P(x_B y_C = -1)]$. On the other hand, suppose that Alice wishes to
reveal 1. Then, $r_A$ may take on any value (since Bob knows that in this case $c = r_A$ or
$c = r_A \oplus 1$), and hence, the only relevant test is the satisfaction of the GHZ paradox,
i.e. whether $r_A \oplus r_B \oplus r_C = s_B s_C \oplus 1$ for a choice of inputs such that
$s_B = s_C$. Alice's cheating probability then equals
$\frac{1}{2}[P(x_A y_B y_C = -1) + P(x_A x_B x_C = 1)]$. Hence, Alice's optimal cheating
probability is obtained by maximizing over

$$\frac{1}{4}\Big[P(y_B x_C = -1) + P(x_B y_C = -1) + P(x_A y_B y_C = -1) + P(x_A x_B x_C = 1)\Big] \qquad (1)$$

since we consider the average probability that Alice can reveal 0 and 1. As this expression
involves only a single measurement setting for Alice's box, it admits a local description,
implying that the maximum is obtained when Alice's box is deterministic. We see that in both cases
(i.e. $x_A = \pm 1$), the problem reduces to maximizing the Clauser-Horne-Shimony-Holt (CHSH)
inequality [22], so that $P_{\rm cont} = \cos^2(\pi/8) \approx 0.854$.
Bob's information gain - Bob's most general strategy consists of sending Alice a box entangled with
some ancillary system in his possession. Depending on the value of $c$ he receives from Alice
(which is uniformly random since Alice is honest), Bob carries out one of a pair of two-outcome
measurements on his system. We denote Bob's binary input and output by $m_B$ and $g_B$, where
$m_B = 0$ ($m_B = 1$) corresponds to the measurement he carries out when Alice sends $c = 0$
($c = 1$), and $g_B = 0$ ($g_B = 1$) corresponds to his guessing that Alice has committed to 0 (1).
Bob's information gain is

$$\begin{aligned}
P_{\rm gain} &= \sum_{s_A, r_A, a} P(s_A, r_A, a)\, P\big(g_B = s_A \,\big|\, m_B = r_A \oplus (s_A \cdot a)\big) \\
&= \frac{1}{4} \sum_{s_A, r_A = 0, 1} P(r_A | s_A)\Big[P(g_B = s_A \,|\, m_B = r_A) + P(g_B = s_A \,|\, m_B = r_A \oplus s_A)\Big] \\
&= \frac{1}{4} \sum_{s_A, r_A = 0, 1} \Big[P(r_A, g_B = s_A \,|\, s_A, m_B = r_A) + P(r_A, g_B = s_A \,|\, s_A, m_B = r_A \oplus s_A)\Big].
\end{aligned} \qquad (2)$$

Using the fact that, in the notation $P(r_A, g_B | s_A, m_B)$ (with $\cdot$ denoting a sum over
$g_B$), $P(k, 0 | 0, k) + P(0, 1 | 1, k) + P(1, 1 | 1, k) \le 1$ for $k = 0, 1$ and
$P(0, \cdot \,|\, 0, 0) + P(1, \cdot \,|\, 0, 1) \le 1$, which follow from no-signaling (i.e.
$\sum_{i_B = 0, 1} P(i_A, i_B \,|\, j_A, j_B) = P(i_A \,|\, j_A)$ and the same relation with
$A \leftrightarrow B$) and normalization, we obtain that $P_{\rm gain} = 3/4$.

Optimal cheating strategies - Both Alice and Bob have a number of simple optimal cheating
strategies available to them. Interestingly, both can optimally cheat using a three-qubit GHZ state
and having the measurements of the honest party correspond to the measurement of the $\sigma_y$
and $\sigma_x$ axes (corresponding to inputting 0 and 1), as in the GHZ paradox described above.
This implies that the device-dependent version of our protocol, in which (honest) Alice and Bob
share a GHZ state and measure $\sigma_y$ and $\sigma_x$ (recall that in the device-dependent
setting an honest party can trust its measurement devices), does not afford more security. Our
protocol has thus the curious property that its device-dependent version is essentially
device-independent, in the sense that its security is not compromised in the event that an honest
party cannot trust its measurement devices.

Using the GHZ state, dishonest Alice's strategy consists of measuring the polarization of her qubit
along the axis $\hat{n} = \frac{1}{\sqrt{2}}(\hat{x} + \hat{y})$. If she obtains 0 then she knows
she has 'prepared' Bob's boxes in the state
$\frac{1}{\sqrt{2}}(e^{-i\pi/8}|00\rangle + e^{i\pi/8}|11\rangle)$, and she sends $c = 0$. If she
wishes to reveal 0, she tells Bob she had input 0 and obtained 0. If she wishes to reveal 1, she
tells Bob she had input 1 and obtained 0. Similarly, if she obtains 1, she sends $c = 1$, etc. It
is straightforward to verify that this strategy gives rise to
$P_{\rm cont} = \cos^2(\pi/8) \approx 0.854$.

Using the GHZ state, dishonest Bob's strategy consists of having Alice measure $\sigma_y$ and
$\sigma_x$ according to the value of her commitment. Bob then measures the polarization of one of
his qubits along the $y$ axis and that of the other along the $x$ axis. Whenever his outcomes are
correlated, in the event that Alice sends $c = 0$ ($c = 1$) he guesses that she has input 1 (0),
while whenever his outcomes are anti-correlated he guesses the reverse. It is straightforward to
verify that this strategy gives rise to $P_{\rm gain} = 3/4$.
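The two cheating strategies just described, and the honest GHZ paradox they build on, checked numerically as an added example (not code from the paper). It uses a small pure-Python three-qubit simulator with the paper's convention that input 0 is $\sigma_y$ and input 1 is $\sigma_x$; the function names are chosen here. `alice_control` averages Alice's pass probability over her outcome, the bit she later reveals and Bob's random choice of inputs, and `bob_gain` averages Bob's guessing probability over Alice's bit and her random bit $a$. The phases of Bob's post-measurement state are not hard-coded: they follow from projecting the GHZ state, so the check is independent of the sign convention used for $\sigma_y$.

```python
import math
from itertools import product

# Single-qubit operators as 2x2 nested lists (no numpy needed).
I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
SETTING = {0: Y, 1: X}          # box input 0 -> sigma_y, input 1 -> sigma_x
# (|000> + |111>)/sqrt2 with basis index 4*a + 2*b + c for qubits A, B, C.
GHZ = [1 / math.sqrt(2), 0, 0, 0, 0, 0, 0, 1 / math.sqrt(2)]


def kron(a, b):
    """Kronecker product of two square matrices."""
    n, m = len(a), len(b)
    out = [[0j] * (n * m) for _ in range(n * m)]
    for i, j, k, l in product(range(n), range(n), range(m), range(m)):
        out[i * m + k][j * m + l] = a[i][j] * b[k][l]
    return out


def expectation(psi, M):
    """<psi|M|psi> for a pure state vector psi."""
    Mpsi = [sum(M[i][j] * psi[j] for j in range(len(psi))) for i in range(len(psi))]
    return sum(psi[i].conjugate() * Mpsi[i] for i in range(len(psi))).real


def projector(op, outcome):
    """Projector onto the eigenvalue (-1)^outcome of a +/-1-valued observable op."""
    sign = -1 if outcome else 1
    return [[(I2[i][j] + sign * op[i][j]) / 2 for j in range(2)] for i in range(2)]


def joint_prob(opA, rA, sB, rB, sC, rC):
    """P(rA, rB, rC) when Alice measures opA and Bob's boxes measure SETTING[sB], SETTING[sC]."""
    M = kron(kron(projector(opA, rA), projector(SETTING[sB], rB)), projector(SETTING[sC], rC))
    return expectation(GHZ, M)


def ghz_relation_holds(sA, rA, sB, rB, sC, rC):
    return (rA ^ rB ^ rC) == ((sA & sB & sC) ^ 1)


def honest_pass_prob(sA, sB, sC):
    """Probability that honest GHZ boxes pass Bob's test on the odd-parity input (sA, sB, sC)."""
    return sum(joint_prob(SETTING[sA], rA, sB, rB, sC, rC)
               for rA, rB, rC in product((0, 1), repeat=3)
               if ghz_relation_holds(sA, rA, sB, rB, sC, rC))


def alice_control():
    """Dishonest Alice: measure along (x+y)/sqrt2, obtain o, send c = o; to reveal b she claims
    (sA, rA) = (b, o), so Bob's consistency test c == rA always passes. Returns her average
    probability of also passing the GHZ test."""
    n_hat = [[(X[i][j] + Y[i][j]) / math.sqrt(2) for j in range(2)] for i in range(2)]
    total = 0.0
    for o, b, sB in product((0, 1), repeat=3):
        sC = sB ^ 1 ^ b                          # Bob's inputs satisfy sB ^ sC = 1 ^ sA, sA = b
        for rB, rC in product((0, 1), repeat=2):
            if ghz_relation_holds(b, o, sB, rB, sC, rC):
                total += joint_prob(n_hat, o, sB, rB, sC, rC) / 4   # average over b and sB
    return total


def bob_gain():
    """Dishonest Bob: honest Alice measures SETTING[sA]; Bob measures sigma_y on B and sigma_x on
    C and guesses from c and whether rB == rC. Returns his probability of guessing sA."""
    total = 0.0
    for sA, a in product((0, 1), repeat=2):
        for rA, rB, rC in product((0, 1), repeat=3):
            c = rA if a == 0 else rA ^ sA
            guess = c ^ 1 if rB == rC else c     # correlated: c=0 -> 1, c=1 -> 0; else guess c
            if guess == sA:
                total += joint_prob(SETTING[sA], rA, 0, rB, 1, rC) / 4   # uniform sA and a
    return total


if __name__ == "__main__":
    print([round(honest_pass_prob(*s), 9) for s in [(0, 0, 1), (0, 1, 0), (1, 0, 0), (1, 1, 1)]])
    print(alice_control(), math.cos(math.pi / 8) ** 2)
    print(bob_gain())
```

Each of the four terms of expression (1) evaluates to $\cos^2(\pi/8)$ under Alice's strategy, which is the CHSH-game value at Tsirelson's bound; for Bob, the case $s_A = 0$ is guessed with certainty because $\sigma_y \sigma_y \sigma_x$ is a stabilizer of the GHZ state, while the case $s_A = 1$ is a coin toss, giving the $3/4$ of the text.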

Device-independent coin flipping - (Strong) coin flipping is defined as the problem of two remote
distrustful parties having to agree on a bit. If both parties are honest, then the outcome of the
coin is uniformly random. The degree of security afforded by a protocol is quantified by the biases
$\epsilon_i^A = P_i^A - 1/2$ and $\epsilon_i^B = P_i^B - 1/2$, where $P_i^A$ ($P_i^B$) is Alice's
(Bob's) maximal probability of biasing the outcome to $i$. The quantity
$\epsilon = \max_i \{\epsilon_i^A, \epsilon_i^B\}$ is usually referred to as the bias of the
protocol. A protocol is said to be fair whenever Alice and Bob enjoy the same bias. Like
bit-commitment, and indeed most non-trivial protocols in distrustful cryptography, in the
classical world its security is completely breached if no limits are placed on a dishonest party's
computational power. In the quantum world the story is different: for strong coin flipping the
optimal bias is $\epsilon \approx 0.207$, while weak coin flipping, on the other hand, allows for
arbitrarily small bias [11].

We remind the reader of a standard method to implement coin flipping using bit-commitment: Alice
commits to a random bit $a$. Bob sends a random bit $b$ to Alice, and then Alice reveals $a$. The
outcome of the coin flip is just $a \oplus b$. In particular, $\epsilon^A = \epsilon_{\rm cont}$
and $\epsilon^B = \epsilon_{\rm gain}$. Using this construction with our device-independent
bit-commitment protocol, we obtain a device-independent coin flipping protocol with biases
$\epsilon^A = \cos^2(\pi/8) - 1/2 \approx 0.354$ and $\epsilon^B = 1/4$.






Since $\epsilon^A > \epsilon^B$, this construction advantages Alice. It is possible to lower the
bias by equalizing the individual biases. Consider a new coin flipping protocol which consists of
two repetitions of the above coin flipping protocol as follows. The result of the first (in which
Alice commits) is used to determine who commits in the second. Say if the outcome is 0 (1), then
Alice (Bob) commits in the second. It is no longer a priori clear what strategy Alice should adopt
in the first repetition, since, in principle, it may be beneficial for her to adopt one in which
she sometimes loses the first coin flip, but increases her chances of making it to the second
repetition (by not getting caught cheating in the first repetition, in which case Bob aborts).
Nevertheless, it is evident that Alice's maximal cheating probability is bounded from above by
$\cos^4(\pi/8) + \big(1 - \cos^2(\pi/8)\big) \cdot \frac{3}{4} \approx 0.838$. On the other hand,
Bob never gets caught cheating in the first repetition (though he may of course lose), therefore
Bob's maximal cheating probability is just
$\frac{3}{4}\cos^2(\pi/8) + \frac{1}{4} \cdot \frac{3}{4} \approx 0.827$. By allowing for more
repetitions (the $(n-1)$th repetition determining who commits in the $n$th, etc.) we obtain that
the biases $\epsilon^A$ and $\epsilon^B$ of the resulting protocol are bounded from above by
$\approx 0.336$.
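The numbers of this section and of the single-round construction before it, as an added example that is not code from the paper. `p_cont_from_chsh` turns the CHSH value reachable by Bob's boxes into Alice's control (expression (1) is a four-condition CHSH game, so the pass probability is $(4 + S)/8$), which also gives the local-bound and PR-box cases mentioned in the Discussion. `cheat_bounds` implements the chained-repetition argument as a recursion: in the last round the committer has $P_{\rm cont}$ and the other party $P_{\rm gain}$, and in every earlier round each party can steer who commits next with at most that probability. The closed form in `limiting_bias` is a fixed-point computation of that recursion, carried out here, and the function names are chosen here.

```python
import math


def p_cont_from_chsh(S):
    """Alice's control when expression (1) reduces to a CHSH game of achievable value S."""
    return 0.5 + S / 8


P_CONT = p_cont_from_chsh(2 * math.sqrt(2))   # Tsirelson bound -> cos^2(pi/8)
P_GAIN = 3 / 4                                 # the no-signaling bound of eq. (2)


def single_round_biases(p=P_CONT, q=P_GAIN):
    """Biases (Alice, Bob) of the plain BC-based coin flip: Alice commits to a, Bob sends b,
    the outcome is a xor b."""
    return p - 0.5, q - 0.5


def cheat_bounds(n, p=P_CONT, q=P_GAIN):
    """Upper bounds (C, N) on the cheating probability of the party who commits in round 1 and
    of the other party, for n chained rounds in which round k's outcome decides who commits in
    round k+1. The committer of a round steers it with probability at most p, the other party
    with probability at most q; the last round is the plain coin flip."""
    C, N = p, q
    for _ in range(n - 1):
        C, N = p * C + (1 - p) * N, q * C + (1 - q) * N
    return C, N


def limiting_bias(p=P_CONT, q=P_GAIN):
    """Limit of cheat_bounds as n grows: q*C + (1-p)*N is invariant under the recursion and
    starts at q, and C and N converge (their difference shrinks by p - q per round), so both
    tend to q / (q + 1 - p)."""
    return q / (q + 1 - p) - 0.5


if __name__ == "__main__":
    print("single round biases (Alice, Bob):", single_round_biases())   # (0.354, 0.25)
    print("two rounds, Alice commits first:", cheat_bounds(2))           # (0.838, 0.828)
    print("limiting bias:", limiting_bias())                              # 0.3366
    print("CHSH local bound / PR box:", p_cont_from_chsh(2), p_cont_from_chsh(4))   # 0.75 1.0
```

Two rounds already bring Alice's and Bob's bounds to within about $0.01$ of each other, and further rounds converge geometrically (the gap shrinks by a factor $P_{\rm cont} - P_{\rm gain} \approx 0.10$ per round) to the common value $\approx 0.837$, i.e. a bias $\approx 0.336$.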

Discussion - By introducing explicit device-independent bit-commitment and coin flipping
protocols, we have shown that protocols in the distrustful cryptography model - wherein Alice and
Bob do not cooperate to estimate the amount of nonlocality present - are amenable to a
device-independent formulation. The fascinating connection between quantum nonlocality and
cryptography, first noted by Ekert twenty years ago [27], is thus seen to apply also in the very
rich field of cryptography with mutually distrustful parties (and devices), affording us a novel
perspective on the connection between cryptography and the foundations of quantum mechanics.

To conclude, we would like to point out some notable features of our protocols. (i) The protocols
are single-shot and do not rely on any statistical estimation of the amount of nonlocality, such
as testing the degree of violation of a Bell inequality (even though their security is of course
based on nonlocality). (ii) The device-dependent version of our protocol does not offer more
security than the device-independent version. (iii) Since our security analysis is
device-independent, it also covers the case where Alice's and Bob's outputs are affected by noise.
Note that the analysis of noisy classical coin flipping in [28, 29] allows us to compute the
quantum advantage in this case. (iv) The security afforded by our device-independent protocols is
reasonably close to (though of course lower than) that of the best known device-dependent
protocols. For the bit-commitment protocol we have $P_{\rm cont} \approx 0.854$ and
$P_{\rm gain} = 3/4$, as compared to $P_{\rm cont} = P_{\rm gain} = 3/4$ for the best known
device-dependent protocol. The coin flipping protocol has a bias of 0.336, as compared to 0.207 in
the device-dependent case. (v) Our work allows the study of bit-commitment and coin flipping in the
context of theories other than quantum mechanics. Indeed, it relies only on the GHZ paradox (to
define the protocol in the honest case), on Tsirelson's bound on the CHSH inequality violation
(which limits Alice's control) and on the no-signaling principle (which limits Bob's information
gain). Curiously, the security of the protocol would increase if Tsirelson's bound were to
decrease, reaching $P_{\rm cont} = P_{\rm gain} = 3/4$ if it were equal to the local causal bound.
In a theory constrained only by no-signaling, our protocol is no longer secure as PR boxes [30]
allow one to maximally violate the CHSH inequality, implying $P_{\rm cont} = 1$. Note that perfect
bit-commitment was shown to be possible provided that honest parties have access to PR boxes and
under the strong hypothesis (which we do not make) that a dishonest party cannot in any way tamper
with the boxes [31]. It is an open question whether there exists a quantum bit-commitment protocol
that is secure against dishonest parties limited only by the no-signaling principle, as is the
case in quantum key-distribution [3, 32].